§ Motion made, and Question proposed, That this House do now adjourn.—[Mr. Garel-Jones.]2.40 pm
§ Mr. Geoffrey Dickens (Huddersfield, West)
Privacy of the individual is a very broad subject to define accurately. However, let us consider the three forms of rights to privacy.
First, we have what can be regarded as "general rights"—usually specified as protection from intrusion in domestic affairs and from surveillance, harassment, exposure and embarrassment. Secondly, there are specific "legal rights" which touch on privacy, such as those protected by the laws of confidence, defamation, trespass or contract. Thirdly, we have what are best described as "procedural rights", such as the rules governing the use of personal information, especially that required compulsorily by the Government, banks, insurance companies, credit card agencies and such bodies as the vehicle and excise licence department at Swansea or the central police computer.
To utilise the limited time that this Adjournment debate provides, I intend to concentrate on the third category—namely, data protection.
Before moving to my central theme, I wish to record that I am deeply concerned about the spread of telephone tapping, surveillance of the Royal Mail, bugging of premises and so on. It appals me how easily electronic devices can be purchased in the United Kingdom by individuals or private detectives to intrude illegally on people's privacy. I shall deal with those elements on another occasion.
It should be understood that personal information, and especially financial information, whether obtained improperly or legitimately for a specific purpose, and whether obtained from the subject or a third party, and with or without his knowledge or consent, gains a currency and value of its own. It is quite alarming how such information is traded without reference to the interests or wishes of the subject and can be, and indeed is, used as basis of important decisions, such as the refusal of credit or employment without the possibility of redress or, in most cases, knowledge of what has caused the refusal. Data protection must place a great responsibility on those who gather information and store information.
It was very disappointing that, when the Home Secretary announced that the United Kingdom would sign the new European convention at an early date, he said at the same time that he would not set up an independent data protection authority, which is the condition for the credibility of any data protection legislation and the basis for all the European data protection laws. I do just wonder whether the Home Secretary is in an impossible role. Let me explain. In all the hundreds of Government computer memory banks holding personal information in health, social security, tax and many other areas of the citizen's private life, there are only three with interests hostile to the people with whom they deal—police intelligence, national security and immigration.
The Home Office is responsible for all three and, in a great effort to protect the work of the Department, it is possible that any legislation to protect individuals' privacy may be diluted. The Home Office may not be the right Department to present such legislation.
623 Having referred to the devious use of private details in the areas of credit and employment, let me give other examples of misuse. To qualify for certain credit cards a great deal of information is required, supported by evidence from one's bank, accountant and company. A print-out of those clients delivered into the hands of mailing companies results in unsolicited material arriving in the post, which can be a great nuisance. Whether such lists are obtained unlawfully or legitimately, they provide a list of people earning above a certain salary and a mailing list of executive items would have a better return from them. A list of high salary earners in the wrong hands is surely also valuable to criminals who specialise in robbing domestic premises.
Another classic example of misuse was the letter that I received from a motorway service area, where I had stopped for petrol. The letter informed me that the operator had not placed my credit card in the machine correctly, and that neither my name and address nor my card number was legible. A copy of my credit card slip was attached and the only identification was my vehicle registration number. Somehow, the garage had gained access to the vehicle and excise licence department at Swansea, the only place from which the service station could have obtained my name and address. That must be common practice, because why else would people be asked to write their car registration on the slip when making payment by credit card?
How many overseas contracts are we losing because we are not paying enough attention to data protection? When international companies gain access to our computers they know our quotation price for, say, a power station worth £750 million. When the prizes are big, people will do all sorts of things for information. To gain export guarantee facilities, companies are required to reveal to the ECGD a breakdown of the price. When the sealed bids are opened overseas on the same day, is it any wonder that we lose major contracts because of commercial espionage? It is common knowledge that banks lose millions of pounds from computer fraud, but I would not expect confirmation because of depositor confidence.
Computers are wonderful tools of commerce, industry and Government, but the memory banks are like a sieve. I believe that we need a data protection squad of computer experts reporting to an independent data protection authority, who would act like ferrets, hunting and delving into any scent of infiltration or intrusion into privacy.
We need the best brains not only designing computers, but protecting computers. One such likely candidate in the future may be young Ruth Lawrence, aged 11 years, who is the youngest person ever to gain a maths and computer scholarship to Oxford. She lives in my constituency and is considered a computer genius for her age. That is the sort of youngster we shall need to safeguard computer legislation.
Extremely severe sentences must be available to the courts for those who are the custodians of private data and who allow such information to pass into the hands of others.
I hope that my modest contribution will be taken on board by the Home Office and that my right hon. Friend the Home Secretary will contemplate the dangers to individual privacy if proposed legislation falls short of the requirements.
§ The Minister of State, Home Office (Mr. Timothy Raison)
I am sure that the House is grateful to my hon. Friend the Member for Huddersfield, West (Mr. Dickens) for raising this subject of privacy and especially of data protection. He has done so in his usual forthright and vivid way. I listened with great care and interest to what he said.
Anyone who has the sense that his privacy is threatened feels himself to be in some way under attack. I recognise the anxiety that some people experience in this respect, especially in the face of the rapid advance in recent years of the mechanical means by which information can be stored and retrieved.
In a way, this debate is a shade premature, because a full statement of the Government's position is due to be published in a White Paper very shortly. I do not think that my hon. Friend will expect me to anticipate in detail what we shall say in that White Paper.
Nevertheless, it is proper for me to outline the thrust of the Government's approach, and I hope that it will reassure my hon. Friend that the Government are taking this problem extremely seriously and that the proposals that we shall be bringing forward will be effective.
The basic statement of the principles which should apply in this area is to be found in the report of the Younger committee, published in 1972. The principles which it identified included that information should be obtained lawfully and be held for a specific purpose; that access should be confined to authorised persons; that the amount of information collected should be the minimum required to achieve the purpose and should be kept for a limited period; that the information should be adequate and relevant; that there should be arrangements for telling the data subject about information concerning him, and for correcting inaccuracies; and that there should be proper security precautions. These principles were embodied, broadly speaking, into the Council of Europe data protection convention which was signed by the United Kingdom last year and is now open for ratification. As the forthcoming White Paper will show, it is the Government's intention to act as early as possible in order to ensure that data users comply with those principles.
It is now well known that the Government have decided that the best way to achieve that objective, and at the same time impose the minumum additional burden on the public and private sectors, is by a system of registration. The existence of a publicly accessible register with a requirement in most circumstances on data users to provide individual applicants with access to the informatin stored about them should, we believe, go a long way towards allaying public anxiety about networks of personal information handled without the knowledge of the individuals concerned for purposes of which they are unaware and cannot ascertain from any acknowledged authority.
The job of the registrar who, I stress, will be wholly independent of the Government and will report annually to Parliament, will be to register the details of all users of computerised personal data and the purposes for which that data is held. On occasion, he may need to make further inquiries of the data user, and he will be able to investigate complaints. He will be empowered to require a data user to modify his system, for example, if inadequate security provisions are brought to his attention or if the user is disclosing information in a way 625 incompatible with the registered purpose. Clearly, there will have to be sanctions to ensure that these objectives are met.
My hon. Friend questioned whether we were right to go for an independent data protection authority. However, there is this difference between our approach and that of the Lindop committee. We believe firmly that independence is necessary. It is simply a question whether these powers that have to be exercised can be exercised more effectively by a nominated independent registrar or whether it is better to go along the path of an authority which, in a sense, has something of the quango about it. However, the main point is that we accept fully the argument for independence.
The Government will not be proposing statutory codes of practice in every sector—basically because we do not believe it possible to provide from the centre for the variety of systems that codes of practice, if they are to be meaningful, would have to cover. But we envisage that certain individual sectors will draw up their own codes, in consultation with the registrar. We recognise also that there are particularly sensitive areas—defined in the Council of Europe convention asdata revealing racial origin, political opinion or religious or other beliefs, health or sexual life and criminal convictions"—which may well call for regulations governing, for example, the use that is made of such data and the security of the systems in which it is stored. There are, moreover, certain sorts of data which must obviously be kept confidential in the interests of national security. The Government propose to take account of them by appropriate exemptions. The need to do so is fully recognised by the Council of Europe convention, which permits derogation from the general principles in the interests of State security, public safety, the monetary interests of the State or the suppression of criminal offences.
These are the Government's broad intentions in data protection. They will be described in much greater detail when the White Paper is published shortly, and that will make clear the Government's firm resolve to ensure that the greatly increased facility for data handling, which new techniques makes possible, does not present the threat to individual privacy to which my hon. Friend and others have so rightly drawn attention.
I should like to deal with my hon. Friend's experiences on the motorway. I understand that some essential detail in the course of a credit card transaction was not clear. It is suggested that my hon. Friend was contacted as a result of the service station obtaining his name and address through having made a note of his car's registration number. I assure my hon. Friend that personal details are certainly not freely available on production of a car registration number. If there is reasonable cause related to the use of a vehicle—for example, a hit and run driver, or where there is the suspicion that an offence has been committed—the driver and vehicle licence centre will make available the name and address of the registered keeper, but the centre must be satisfied that there is reasonable cause to do so. In this particular case I cannot know whether this was the route by which my hon. Friend was traced, but my right hon. Friend the Secretary of State for Transport or I would be glad to look into this further if we are given the exact circumstances of the case.
§ Mr. Dickens
Does my hon. Friend accept that most users of credit cards are asked to put their car registration number on the slip? The operators sometimes take the number in case a person drives off without paying, but the driver is asked to put the number on the slip. Does that not reinforce my point that that method is adopted in case the operators fall down on their job?
§ Mr. Raison
I am often asked to put my car number on the slip, but I would rather not comment further at this stage. I shall take the matter up with my right hon. Friend the Secretary of State for Transport.
There is also the question of the transfer of personal data by one company to another. I am well aware of the widespread public concern that once one's name and address—and perhaps other details—are on one company's computer, they may be transferred, possibly sold, to another without the person to whom that information applies being either consulted or aware of the transfer. Among the generally, indeed internationally, recognised principles of data protection is the principle that personal data should be stored for a specified purpose and that a subject should normally have access to it. It is also, of course, in the convention that there may have to be certain exceptions; but, as I have already said, the Government will seek to ensure that the general principles are complied with. We shall take due account of the interests of the commercial sector and of the general principle that once a user has registered an operation for a specified purpose, the relevant personal data should not normally be used for any other purpose without consulting the subject. Once our proposals come to fruition, I hope that my hon. Friend's concern will be assuaged.
Another matter that my hon. Friend raised was data protection, in the sense of the security of data stored on computers against unauthorised access. He mentioned two examples. First, he referred to computers being manipulated in order, unknown to the victim, to transfer money fraudulently from one bank account to another. We heard more of that kind of story in the early days of computers when certain alarming things happened. I am not saying that a computer is either infallible or proof against fraudulent use. No system is, whether it is automatic or manual. But if some person seeks to defraud another—whether using a computer or any other means—he is subject to the law. Fraud is fraud.
My hon. Friend also suggested that British companies were losing commercially as a result of foreign competitors raiding their computers, discovering a quotation that was being proposed and being able to undercut it. This is not the occasion for a discussion on industrial espionage. The security of a private sector computer holding commercial data is primarily a matter for the company concerned, not the Government.
However, the security of computers—by that I mean the measures taken to guard against misuse and illicit access—is improving all the time. The measures being taken internationally to protect data held on computers are an important encouragement to the development of computer security. To that extent, I believe that the Government's proposals will make a significant contribution towards ensuring maximum security of data held on computers. That applies not only to personal data, which will be directly affected by the Government's proposals, but to commercial data, which will benefit indirectly from developments in this area.
627 Another question that is sometimes raised is the confidentiality of the census. It is nothing new to hear the concern expressed that the information—often sensitive information—given in the census operation should be scrupulously protected. However, I think that we have a good record in this respect. I believe that there is widespread confidence that census details are fully protected and that the citizen does not put his privacy at risk by co-operating fully in the census operation. There are, of course, statutory provisions to ensure that those employed in the census operation do not divulge the information made available. Indeed, the overall standards of protection are extremely high. My hon. Friend may be assured that we shall maintain that standard, and our proposals on automatically processed data will further enhance the already stringent safeguards.
628 As I have said, we are about to publish a White Paper. I do not think that I can go further than I have gone today in outlining our approach to the whole matter. My hon. Friend was quite right to raise this subject, because it is a matter of great importance. He made his case cogently. I hope that he will at least go away from this debate feeling that we are treating the matter with great seriousness and that he will derive some reassurance from that fact. On top of that, I simply ask him to await the publication of the White Paper.
§ Question put and agreed to.
§ Adjourned accordingly at two minutes past Three o' clock.